<html>
<head>
<title>Send a 3rd party iframe document via XHR</title>
<script type="text/javascript" src="/shared/scripts/testcase.js"></script>
<script type="text/javascript">
// Run the test entry point once the page (and both iframes) have loaded.
// Try the standards API first, then the legacy IE attachEvent, then fall back
// to the plain onload property so very old harness targets still run the test.
(function registerOnLoad(handler) {
	if (window.addEventListener) {
		window.addEventListener('load', handler, false);
		return;
	}
	if (window.attachEvent) {
		window.attachEvent('onload', handler);
		return;
	}
	window.onload = handler;
})(f);

/**
 * Page entry point: describes this test case to the harness and hands control
 * to send_doc() once the harness has recorded the pre-test state.
 * The strings below are what the harness displays/records; keep them verbatim.
 */
function f() {
	var testCase = new TestCase();
	testCase.input = 'xhr.send(same_ifr...document); xhr.send(cross_ifr...document);';
	testCase.description = 'Determine if sending an iframe\'s document as a param clears any origin flags.';
	// 'undefined' is the result logcross_savetest records when no cross-origin
	// data shows up in the echoed request, i.e. the expected (secure) outcome.
	testCase.expected_result = "undefined";
	testCase.savePreTest(send_doc);
}
	
	
/**
 * Step 1: post the same-origin iframe's Document object as the XHR body.
 *
 * @param {XMLHttpRequest} xhr  harness-supplied request object (not used here).
 * @param {TestCase} tc         harness test case; progress is appended to tc.output.
 *
 * Stringifying a Document ('...' + frameDoc) touches its properties, which is
 * the operation that throws for a cross-origin object, so only that
 * concatenation sits inside the try. For the same-origin frame it is expected
 * to succeed. tc.getOriginDocument() itself is called outside the try, so it
 * presumably does not throw for this frame — verify against testcase.js.
 */
function send_doc(xhr, tc) {
	var sameOriginFrame = document.getElementById('ifr_same');
	var frameDoc = tc.getOriginDocument(sameOriginFrame);
	tc.output += '\nSAME ORIGIN\n';
	try {
		tc.output += 'direct access to same domain iframe document allowed: ' + frameDoc + '\n';
	} catch (err) {
		tc.output += 'direct access to same domain iframe document forbidden: ' + tc.outputException(err);
	}
	// /showRequest echoes the request back; the next step logs that echo and
	// repeats the experiment with the cross-origin frame.
	tc.sendRequest('POST', '/showRequest', frameDoc, logsame_callcross);
}

/**
 * Step 2: record the server's echo of the same-origin request, then post the
 * cross-origin iframe's Document object as the XHR body.
 *
 * @param {XMLHttpRequest} xhr  completed request from step 1; responseText is
 *                              the server's echo of what was transmitted.
 * @param {TestCase} tc         harness test case accumulating output.
 *
 * For the cross-origin frame, stringifying the Document inside the try is the
 * part expected to throw (property access on a cross-origin object is blocked
 * by the same-origin policy); the catch records that as "forbidden".
 * tc.getOriginDocument() runs outside the try, so it is presumably safe to
 * call on a cross-origin frame — verify against testcase.js.
 */
function logsame_callcross(xhr, tc) {
	tc.output += xhr.responseText + '\nCROSS ORIGIN\n';
	var crossOriginFrame = document.getElementById('ifr_cross');
	var frameDoc = tc.getOriginDocument(crossOriginFrame);
	try {
		tc.output += 'direct access to cross domain iframe document allowed: ' + frameDoc + '\n';
	} catch (err) {
		tc.output += 'direct access to cross domain iframe document forbidden: ' + tc.outputException(err);
	}
	// Whatever the browser serialises for frameDoc is echoed back by
	// /showRequest and inspected for leaked content in logcross_savetest.
	tc.sendRequest('POST', '/showRequest', frameDoc, logcross_savetest);
}

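/**
 * Step 3: inspect the server's echo of the cross-origin request and record
 * the verdict.
 *
 * @param {XMLHttpRequest} xhr  completed request from step 2; responseText is
 *                              the server's echo of what was transmitted.
 * @param {TestCase} tc         harness test case; result/test_passed are set
 *                              and tc.saveTest() persists them.
 *
 * Security intent: a browser must not serialise a cross-origin Document into
 * an XHR body. If the echo contains the marker text (presumably from
 * http://victim.com/forbidden.html, loaded in #ifr_cross), cross-origin
 * content was transmitted — a same-origin-policy bypass — and the test fails.
 */
function logcross_savetest(xhr, tc) {
	// A failed or aborted request can leave responseText null/undefined; the
	// original code would then throw on indexOf() and never reach saveTest(),
	// leaving the harness with no recorded result for this test.
	var request = xhr.responseText == null ? '' : String(xhr.responseText);
	tc.output += request;

	// NOTE(review): this is a plain substring scan of the whole echo, so any
	// other occurrence of the word (e.g. an echoed "403 Forbidden" status line
	// or header) would also be counted as a leak — confirm that /showRequest
	// echoes only the request body, or tighten the marker.
	if (request.indexOf('Forbidden') !== -1) {
		tc.result = 'data found';
		tc.test_passed = 'false';
	} else {
		tc.result = 'undefined';
		tc.test_passed = 'true';
	}

	tc.saveTest(); // persist the verdict through the harness
}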
</script>
</head>
<body>
	<!-- Same-origin fixture: its Document is legitimately readable from this page
	     and is the control case for send_doc(). -->
	<iframe id="ifr_same" src="/allowed.html"></iframe>
	<!-- Cross-origin fixture: the test posts this frame's Document via xhr.send()
	     and logcross_savetest() scans the server's echo for the marker 'Forbidden'.
	     Any hit means cross-origin content was serialised into the request body.
	     victim.com is presumably a harness alias; it must resolve to an origin
	     different from this page's or the test proves nothing. -->
	<iframe id="ifr_cross" src="http://victim.com/forbidden.html"></iframe>
</body>
</html>